diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index bb9bb0b..3f90902 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -12,27 +12,105 @@ permissions:
   packages: write
 
 jobs:
-  build-push:
+  build-image:
+    strategy:
+      matrix:
+        architecture: [x86_64, aarch64]
+      fail-fast: false
+    runs-on: ${{ fromJSON(format('["self-hosted", "build", "{0}"]', matrix.architecture)) }}
+
+    steps:
+      - name: Setup docker arch
+        id: setup-docker-arch
+        env:
+          ARCHITECTURE: ${{ matrix.architecture }}
+        run: |
+          case "${ARCHITECTURE}" in
+            x86_64)
+              DOCKER_ARCH="amd64"
+              ;;
+            aarch64)
+              DOCKER_ARCH="arm64"
+              ;;
+            *)
+              echo "Unsupported architecture: $ARCHITECTURE}"
+              exit 1
+              ;;
+          esac
+          echo "DOCKER_ARCH=$DOCKER_ARCH" >> $GITHUB_OUTPUT
+          echo "Docker architecture: $DOCKER_ARCH"
+        shell: bash
+
+      - uses: actions/checkout@v6
+        name: Checkout code
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v4
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - name: Build Docker image
+        run: |
+          docker buildx build --platform linux/${{ steps.setup-docker-arch.outputs.DOCKER_ARCH }} --output type=docker -t ghcr.io/riptideslabs/${{ github.event.repository.name }}:${{ github.ref_name }}-${{ steps.setup-docker-arch.outputs.DOCKER_ARCH }} .
+        shell: bash
+
+      - name: Save Docker image as artifact
+        run: |
+          docker save ghcr.io/riptideslabs/${{ github.event.repository.name }}:${{ github.ref_name }}-${{ steps.setup-docker-arch.outputs.DOCKER_ARCH }} -o image-${{ steps.setup-docker-arch.outputs.DOCKER_ARCH }}.tar
+        shell: bash
+
+      - name: Upload image artifact
+        uses: actions/upload-artifact@v7
+        with:
+          name: image-${{ steps.setup-docker-arch.outputs.DOCKER_ARCH }}
+          path: image-${{ steps.setup-docker-arch.outputs.DOCKER_ARCH }}.tar
+
+  push-manifest:
+    needs: build-image
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Download amd64 image
+        uses: actions/download-artifact@v8
+        with:
+          name: image-amd64
+          path: ./amd64
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+      - name: Download arm64 image
+        uses: actions/download-artifact@v8
+        with:
+          name: image-arm64
+          path: ./arm64
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
-      - name: Log in to GHCR
-        uses: docker/login-action@v3
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          password: ${{ github.token }}
+
+      - name: Load images
+        run: |
+          docker load -i ./amd64/image-amd64.tar
+          docker load -i ./arm64/image-arm64.tar
+        shell: bash
+
+      - name: Push images (no manifest)
+        run: |
+          docker push ghcr.io/riptideslabs/${{ github.event.repository.name }}:${{ github.ref_name }}-amd64
+          docker push ghcr.io/riptideslabs/${{ github.event.repository.name }}:${{ github.ref_name }}-arm64
+        shell: bash
 
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: ghcr.io/riptideslabs/keyledger
           tags: |
@@ -41,13 +119,26 @@ jobs:
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
             type=edge,branch=main
 
-      - name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+      - name: Create and push multi-arch manifest
+        env:
+          TAGS: ${{ steps.meta.outputs.tags }}
+          LABELS: ${{ steps.meta.outputs.labels }}
+        run: |
+          mapfile -t TAGS_ARRAY <<< "$TAGS"
+          TAG_ARGS=()
+          for tag in "${TAGS_ARRAY[@]}"; do
+            [[ -n "$tag" ]] && TAG_ARGS+=("-t" "$tag")
+          done
+
+          mapfile -t LABELS_ARRAY <<< "$LABELS"
+          ANNOTATION_ARGS=()
+          for label in "${LABELS_ARRAY[@]}"; do
+            [[ -n "$label" ]] && ANNOTATION_ARGS+=("--annotation" "index:$label")
+          done
+
+          docker buildx imagetools create \
+            "${TAG_ARGS[@]}" \
+            "${ANNOTATION_ARGS[@]}" \
+            ghcr.io/riptideslabs/${{ github.event.repository.name }}:${{ github.ref_name }}-amd64 \
+            ghcr.io/riptideslabs/${{ github.event.repository.name }}:${{ github.ref_name }}-arm64
+        shell: bash